Abstract: An attack activity definition information database 111 stores, for a plurality of events, attack activity definition information describing an event, a precondition, and an achieved phenomenon. The event is observed by an information system when an attack against the information system is underway. The precondition is a prerequisite condition for the event to be observed. The achieved phenomenon is a phenomenon of the time after the event is observed. An event receiving part 108 receives observed event notice information notifying an observed event which is observed by the information system.

Abstract: A test memory extracting unit 110 extracts a test memory image 191 from a memory area of a target system. A template memory extracting unit 120 extracts a template memory image 192 from a template system not infected with malware. An injected code detecting unit 130 compares the test memory image 191 with the template memory image 192, and generates an injected code list 193. An injected code testing unit 140 generates a malicious code list 195 based on the injected code list 193 and a test rule list 194. A test result output unit 150 generates a test result file 196 based on the malicious code list 195.

Abstract: An information leakage prevention apparatus 100 receives, from a LAN 109, communication data transmitted by a PC 112 to Internet 111, and when the received data has been encrypted, analyzes a log describing content of data processing performed in the PC 112 and extracts a key used to encrypt the communication data in the PC 112. Further, the information leakage prevention apparatus 100 decrypts the communication data using the extracted key and determines whether or not a keyword is included in a decryption result. If the keyword is not included in the decryption result, the information leakage prevention apparatus 100 transmits the communication data to the Internet 111 through a WAN 110.

Abstract: In a log analysis cooperation system including a logger that collects a log of a communication device and stores the log in a storage device, a SIEM apparatus that detects an attack, and a log analysis apparatus that analyzes the log collected by the logger, a log analysis cooperation apparatus stores an attack scenario in a storage device, receives from the SIEM apparatus warning information including information on the detected attack, computes a predicted occurrence time of an attack predicted to occur subsequent to the detected attack based on the warning information and the attack scenario, and transmits to the log analysis apparatus a scheduled search to search the log at predicted occurrence time computed. The log analysis apparatus transmits a scheduled search to the logger to search the log at the predicted occurrence time.

Abstract: A progress status of an attack on an information system possibly carried out is visualized to display a warning to a user, without using a correlation rule. A table storage stores a past case table indicating a phase string obtained by concatenating phase values indicating attack progress degrees according to an event occurrence pattern in a past case. A phase string generator obtains a phase string by concatenating phase values according to the occurrence pattern of events that have occurred in the information system. A similarity degree calculator calculates a similarity degree between the obtained phase string and the phase string indicated in the past case table. An attack status visualization unit visualizes the progress status of the attack on the information system, based on the obtained phase string and a result of calculation of the similarity degree by the similarity degree calculator.

Abstract: Whether or not there is an attack that cannot be detected using signature information is determined without performing an enormous number of verifications. A signature detection not-applicable data pattern extracting part analyzes signature information and extracts a pattern of data which is not detected using the signature information. An attack data pattern extracting part analyzes a target program to which the signature information is to be applied, and extracts a pattern of attack data that attacks the target program. A pattern comparing part compares a signature detection not-applicable data pattern extracted by the signature detection not-applicable data pattern extracting part with an attack data pattern extracted by the attack data pattern extracting part, and extracts an attack data pattern coinciding with the signature detection not-applicable data pattern, as an attack data pattern not detected using the signature information.

Abstract: Scripts describing procedures usually used by attackers in a programming language are pre-accumulated. A script selected by the user out of the accumulated scripts is executed, which calls a plugin with logic implemented for attacking each security hole. This plugin is executed on a test target computer, which allows removing the necessity of the user having security knowledge about such as input/output relationship between test execution units.